dl.exe

  1. #1
    santetjan (Newbie)

    dl.exe

    Greetings.

    I'm sorry if I'm not supposed to make a new thread of this; in an old thread concerning this file, one member was advised to make a new thread, so I thought I should do the same.
    Tonight, when opening mplayerc.exe (and ONLY then), I got a DOS-like screen opening, with dl.exe being placed in the same folder as mplayerc.exe. I can't seem to get rid of it, and when browsing google, I found the file to be some sort of virus.
    The file says some program is still using it when I try to delete it, but I can't find anything out of the ordinary. Nothing new is visible in my registry, either.
    I have scanned my computer with Ad-Aware just now, and wasn't able to find anything (except some tracking cookies, which I deleted). After this, I made a HijackThis log. I've placed HijackThis, as was recommended, in C:\hjt.
    I'm running on Windows XP Pro - if any other information is required, please ask.
    (By the way, the file seems to be only 5.45kB in size.)

    My HijackThis log looked like this:
    Logfile of HijackThis v1.99.1
    Scan saved at 3:12:17, on 13-12-2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Winamp3\winampa.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\FreeMem Standard\freemem.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\mIRC\mirc.exe
    C:\sysreset\mirc.exe
    C:\Program Files\Sonique\sqstart.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sonique\Sonique.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\hjt\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [dircp] C:\WINDOWS\dircp.exe
    O4 - HKLM\..\Run: [\\TATS\EPSON Stylus C46 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P30 "\\TATS\EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"
    O4 - HKLM\..\Run: [Automatisch EPSON Stylus C46 Series op TATS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P43 "Automatisch EPSON Stylus C46 Series op TATS" /O15 "\\TATS\EPSONSty" /M "Stylus C46"
    O4 - HKLM\..\Run: [\\BECCIE\EPSON Stylus C46 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P32 "\\BECCIE\EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"
    O4 - HKLM\..\Run: [Automatisch EPSON Stylus C46 Series op BECCIE] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P45 "Automatisch EPSON Stylus C46 Series op BECCIE" /O17 "\\BECCIE\EPSONSty" /M "Stylus C46"
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [FreeMem Pro] "C:\Program Files\FreeMem Standard\freemem.exe" Startup
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Program Files\Sonique\sqstart.exe -nostick
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1126641881848
    O23 - Service: distributed.net client (dnetc) - Unknown owner - C:\Program Files\Ircow\dnetc.exe (file missing)
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
    O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe


    I'm hoping it's just something that came with media player classic, but I fear it's worse. If anything is wrong, please help me.

    Sincerely,

    Tjan.
    Last edited by santetjan; 13-12-2005 at 03:02 AM.

  2. #2
    VopThis (Senior Member, Canada)
    Scan unknown files for viruses
    Please go to this website and submit the following files (copy and paste each full file PATH) for possible Viruses/Trojans detection analysis and immediate feedback:
    http://virusscan.jotti.org/

    Submit these files:

    dl.exe (locate full path)

    Let us know what the results were for the file(s).


    Please download, install, update and scan your system with the free (trial) version of Ewido trojan scanner:
    1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    2. When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
    3. From the main ewido screen, click on update in the left menu, then click the Start update button.
    4. After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
    5. If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
    6. When the scan finishes, click on "Save Report". This will create a text file. Please then paste the contents of the text file to this thread.


    REBOOT.


    Run the following anti-virus/malware tools:

    Get the stinger here:
    http://vil.nai.com/vil/stinger/

    Download it to another computer if need be, and bring it to the affected computer on floppy disk.

    It will kill the top 40 virus files if any are found there.


    Then,

    Run these two online virus/malware scanners ( Trendmicro Housecall, Panda Activescan) following these instructions below:
    http://forums.thatcomputerguy.us/ind...showtopic=5122

    Let them fix what they can. Reboot between scans.

    Take note of any FILES that couldn't be deleted. Post any undeletable items and any available LOGS back here (IMPORTANT FEEDBACK) AND go after such FILES yourself if you want (preferably in SAFE MODE - reboot tapping the F8 key).

    These scans will take more than an hour to complete, so make sure you have time to let them run all the way through.
    (let us know if any files couldn't be deleted/cleaned.)


    Reboot
    Post a new HJT log with any detailed feedback from the scans. How are things now behaving: any new or remaining apparent issues?

  3. #3
    santetjan (Newbie)
    So, in the end I seem to have had a slight case of Tenga.a. I've spent a whole day scanning, rescanning, overscanning, and maybe even counterscanning, and I think I've managed to get the worm out of all the infected files and patch up the system. Thing is, though, that I still can't seem to be able to get rid of the dl.exe, which, as far as I know, shouldn't be able to do anything right about now.

    Well then, virusscan.jotti.org couldn't find anything wrong with the file itself, and neither could avast!, ewido, stinger, and panda (trendmicro was acting funny - maybe the site was down-ish?); both avast! and panda did however locate and eliminate infections of tenga.a in .exe files.
    I've created reports of the ewido- and panda-scans, and will post them here, followed by a new HijackThis-report. If one is able to still find anything wrong, please help me out here, since I don't seem to be able to make anything out of the buckets of information found on the net (which is often conflicting): I'm really out of my depth here. (I will, incidentally, root out the spyware mentioned in Panda, but that isn't my main problem here.)

    Ewido:
    ---------------------------------------------------------
    ewido security suite - Scan rapport
    ---------------------------------------------------------

    + Gemaakt op: 16:37:58, 13-12-2005
    + Rapport samenvatting: DA49CF6F

    + Scan resultaten:

    C:\Documents and Settings\Kabouter Plop\Cookies\kabouter plop@adorigin[2].txt -> Spyware.Cookie.Adorigin : Schoongemaakt met een backup
    C:\Documents and Settings\Kabouter Plop\Cookies\kabouter plop@com[1].txt -> Spyware.Cookie.Com : Schoongemaakt met een backup
    C:\Documents and Settings\Kabouter Plop\Cookies\kabouter plop@cz6.clickzs[1].txt -> Spyware.Cookie.Clickzs : Schoongemaakt met een backup
    C:\Documents and Settings\Kabouter Plop\Cookies\kabouter plop@cz8.clickzs[2].txt -> Spyware.Cookie.Clickzs : Schoongemaakt met een backup
    C:\Documents and Settings\Kabouter Plop\Cookies\kabouter plop@oxcash[2].txt -> Spyware.Cookie.Oxcash : Schoongemaakt met een backup
    C:\Documents and Settings\Kabouter Plop\Cookies\kabouter plop@www.hightrafficads[2].txt -> Spyware.Cookie.Hightrafficads : Schoongemaakt met een backup
    C:\Documents and Settings\Kabouter Plop\Cookies\kabouter plop@www.myaffiliateprogram[2].txt -> Spyware.Cookie.Myaffiliateprogram : Schoongemaakt met een backup
    C:\Documents and Settings\Kabouter Plop\Local Settings\Temp\BDECache\bde9F.tmp/bdedetect1.dll -> Adware.BrilliantDigital : Fout gedurende het schoonmake
    C:\Documents and Settings\Kabouter Plop\Local Settings\Temp\BDECache\bde9F.tmp/bdeclean.exe -> Adware.BrilliantDigital : Fout gedurende het schoonmake
    C:\Documents and Settings\Kabouter Plop\Local Settings\Temp\BDECache\bdeB.tmp/bdeinsta25.dll -> Adware.BrilliantDigital : Fout gedurende het schoonmake
    C:\Documents and Settings\Kabouter Plop\Local Settings\Temp\BDECache\bdeF.tmp/BDESac24.dll -> Adware.BrilliantDigital : Fout gedurende het schoonmake
    C:\Documents and Settings\Kabouter Plop\Local Settings\Temp\EACDownload\scan_temp.exe -> Spyware.eAcceleration : Schoongemaakt met een backup
    C:\Documents and Settings\LeiFje\Cookies\leifje@ad.adition[1].txt -> Spyware.Cookie.Adition : Schoongemaakt met een backup
    C:\Documents and Settings\LeiFje\Cookies\leifje@adopt.specificclick[1].txt -> Spyware.Cookie.Specificclick : Schoongemaakt met een backup
    C:\Documents and Settings\LeiFje\Cookies\leifje@burstnet[2].txt -> Spyware.Cookie.Burstnet : Schoongemaakt met een backup
    C:\Documents and Settings\LeiFje\Cookies\leifje@com[1].txt -> Spyware.Cookie.Com : Schoongemaakt met een backup
    C:\Documents and Settings\LeiFje\Cookies\leifje@download.com[1].txt -> Spyware.Cookie.Com : Schoongemaakt met een backup
    C:\Documents and Settings\LeiFje\Cookies\leifje@www.burstbeacon[2].txt -> Spyware.Cookie.Burstbeacon : Schoongemaakt met een backup
    C:\Documents and Settings\LeiFje\Cookies\leifje@www.clickhype[1].txt -> Spyware.Cookie.Clickhype : Schoongemaakt met een backup
    C:\Documents and Settings\LeiFje\Cookies\leifje@www.myaffiliateprogram[1].txt -> Spyware.Cookie.Myaffiliateprogram : Schoongemaakt met een backup
    C:\Documents and Settings\LeiFje\Cookies\leifje@y-1shz2prbmdj6wvny-1sez2pra2dj6wjk4gnajohqqqdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Schoongemaakt met een backup
    C:\Documents and Settings\Tjan\Cookies\tjan@adorigin[2].txt -> Spyware.Cookie.Adorigin : Schoongemaakt met een backup
    C:\Documents and Settings\Tjan\Cookies\tjan@ads.adorigin[1].txt -> Spyware.Cookie.Adorigin : Schoongemaakt met een backup
    C:\Documents and Settings\Tjan\Cookies\tjan@com[2].txt -> Spyware.Cookie.Com : Schoongemaakt met een backup
    C:\Documents and Settings\Tjan\Cookies\tjan@cz4.clickzs[1].txt -> Spyware.Cookie.Clickzs : Schoongemaakt met een backup
    C:\Documents and Settings\Tjan\Cookies\tjan@oxcash[2].txt -> Spyware.Cookie.Oxcash : Schoongemaakt met een backup
    C:\Documents and Settings\Tjan\Cookies\tjan@www.hightrafficads[1].txt -> Spyware.Cookie.Hightrafficads : Schoongemaakt met een backup
    C:\Documents and Settings\Tjan\Cookies\tjan@www.myaffiliateprogram[2].txt -> Spyware.Cookie.Myaffiliateprogram : Schoongemaakt met een backup
    C:\Documents and Settings\Tjan.AKIKO\Application Data\vqoicrou.exe -> Spyware.Lop : Schoongemaakt met een backup
    C:\Documents and Settings\Tjan.AKIKO\Cookies\tjan@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Schoongemaakt met een backup
    C:\Documents and Settings\Tjan.AKIKO\Cookies\tjan@ad.adition[1].txt -> Spyware.Cookie.Adition : Schoongemaakt met een backup
    C:\Documents and Settings\Tjan.AKIKO\Cookies\tjan@adorigin[1].txt -> Spyware.Cookie.Adorigin : Schoongemaakt met een backup
    C:\Documents and Settings\Tjan.AKIKO\Cookies\tjan@ads.adorigin[1].txt -> Spyware.Cookie.Adorigin : Schoongemaakt met een backup
    C:\Documents and Settings\Tjan.AKIKO\Cookies\tjan@ads06.bpath[1].txt -> Spyware.Cookie.Bpath : Schoongemaakt met een backup
    C:\Documents and Settings\Tjan.AKIKO\Cookies\tjan@ads20.bpath[2].txt -> Spyware.Cookie.Bpath : Schoongemaakt met een backup
    C:\Documents and Settings\Tjan.AKIKO\Cookies\tjan@com[2].txt -> Spyware.Cookie.Com : Schoongemaakt met een backup
    C:\Documents and Settings\Tjan.AKIKO\Cookies\tjan@cz3.clickzs[1].txt -> Spyware.Cookie.Clickzs : Schoongemaakt met een backup
    C:\Documents and Settings\Tjan.AKIKO\Cookies\tjan@ivwbox[1].txt -> Spyware.Cookie.Ivwbox : Schoongemaakt met een backup
    C:\Documents and Settings\Tjan.AKIKO\Cookies\tjan@orf.oewabox[2].txt -> Spyware.Cookie.Oewabox : Schoongemaakt met een backup
    C:\Documents and Settings\Tjan.AKIKO\Cookies\tjan@oxcash[2].txt -> Spyware.Cookie.Oxcash : Schoongemaakt met een backup
    C:\Documents and Settings\Tjan.AKIKO\Cookies\tjan@www.burstbeacon[1].txt -> Spyware.Cookie.Burstbeacon : Schoongemaakt met een backup
    C:\Documents and Settings\Tjan.AKIKO\Cookies\tjan@www.myaffiliateprogram[1].txt -> Spyware.Cookie.Myaffiliateprogram : Schoongemaakt met een backup
    C:\Documents and Settings\Tjan.AKIKO\Cookies\tjan@www.statcounter[1].txt -> Spyware.Cookie.Statcounter : Schoongemaakt met een backup
    C:\Documents and Settings\Tjan.AKIKO\Local Settings\Temp\asmfiles.cab/asm.exe -> Spyware.Altnet : Fout gedurende het schoonmake
    C:\Documents and Settings\Tjan.AKIKO\Local Settings\Temp\Rem7DA.exe -> Spyware.Lop : Schoongemaakt met een backup
    C:\Program Files\Mozilla Firefox\plugins\npWTHost.dll -> Spyware.WildTangent : Schoongemaakt met een backup
    C:\WINDOWS\system32\mscjjn.dll -> Spyware.180Solutions : Schoongemaakt met een backup
    C:\WINDOWS\system32\msiaih.dll -> Spyware.Ipend : Schoongemaakt met een backup
    C:\WINDOWS\system32\msjpok.dll -> Dropper.Siboco.d : Schoongemaakt met een backup
    C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent : Schoongemaakt met een backup


    ::Einde rapport

  4. #4
    santetjan (Newbie)
    (Sorry, didn't fit in one post.)

    Panda (1):
    Incident Status Location

    Spyware:spyware/whazit Not desinfected C:\WINDOWS\SYSTEM32\kyf.dat
    Adware:adware/sidesearch Not desinfected C:\PROGRAM FILES\Lycos
    Adware:adware/downloadware Not desinfected C:\PROGRAM FILES\MediaLoads
    Spyware:spyware/apropos Not desinfected C:\PROGRAM FILES\SysAI
    Adware:adware/ncase Not desinfected C:\WINDOWS\SYSTEM32\FLEOK
    Adware:adware/gator Not desinfected Windows Registry
    Dialer:Dialer.VG Not desinfected C:\dialler.exe
    Adware:Adware/BrilliantDigital Not desinfected C:\Documents and Settings\Kabouter Plop\Local Settings\Temp\BDECache\bde9F.tmp[bdedetect1.dll]
    Adware:Adware/BrilliantDigital Not desinfected C:\Documents and Settings\Kabouter Plop\Local Settings\Temp\BDECache\bdeB.tmp[bdeinsta25.dll]
    Adware:Adware/BrilliantDigital Not desinfected C:\Documents and Settings\Kabouter Plop\Local Settings\Temp\BDECache\bdeF.tmp
    Adware:Adware/BrilliantDigital Not desinfected C:\Documents and Settings\Kabouter Plop\Local Settings\Temp\BDECache\bdeF.tmp[BDESac24.dll]
    Virus:W32/Tenga.A Disinfected C:\Documents and Settings\LeiFje\Bureaublad\Anime!\Other\zut\demos\fr-025-final2\fr-025-final2.exe
    Virus:W32/Tenga.A Disinfected C:\Documents and Settings\LeiFje\Bureaublad\Anime!\Other\zut\demos\fr-030_candytron_final\fr030-candytron-final-101.exe
    Adware:Adware/IPInsight Not desinfected C:\Documents and Settings\Tjan.AKIKO\Local Settings\Temp\alchem.inf
    Adware:Adware/IPInsight Not desinfected C:\Documents and Settings\Tjan.AKIKO\Local Settings\Temp\alchem.ini
    Spyware:Spyware/Altnet Not desinfected C:\Documents and Settings\Tjan.AKIKO\Local Settings\Temp\asmfiles.cab[asm.exe]
    Adware:Adware/Lop Not desinfected C:\Documents and Settings\Tjan.AKIKO\Local Settings\Temp\Inv99F.exe
    Adware:Adware/Lop Not desinfected C:\Documents and Settings\Tjan.AKIKO\Local Settings\Temp\pch262.exe

    Panda(2):
    Incident Status Location

    Spyware:spyware/whazit Not desinfected C:\WINDOWS\SYSTEM32\kyf.dat
    Adware:adware/sidesearch Not desinfected C:\PROGRAM FILES\Lycos
    Adware:adware/downloadware Not desinfected C:\PROGRAM FILES\MediaLoads
    Spyware:spyware/apropos Not desinfected C:\PROGRAM FILES\SysAI
    Adware:adware/ncase Not desinfected C:\WINDOWS\SYSTEM32\FLEOK
    Adware:adware/gator Not desinfected Windows Registry
    Dialer:Dialer.VG Not desinfected C:\dialler.exe
    Adware:Adware/BrilliantDigital Not desinfected C:\Documents and Settings\Kabouter Plop\Local Settings\Temp\BDECache\bde9F.tmp[bdedetect1.dll]
    Adware:Adware/BrilliantDigital Not desinfected C:\Documents and Settings\Kabouter Plop\Local Settings\Temp\BDECache\bdeB.tmp[bdeinsta25.dll]
    Adware:Adware/BrilliantDigital Not desinfected C:\Documents and Settings\Kabouter Plop\Local Settings\Temp\BDECache\bdeF.tmp
    Adware:Adware/BrilliantDigital Not desinfected C:\Documents and Settings\Kabouter Plop\Local Settings\Temp\BDECache\bdeF.tmp[BDESac24.dll]
    Adware:Adware/IPInsight Not desinfected C:\Documents and Settings\Tjan.AKIKO\Local Settings\Temp\alchem.inf
    Adware:Adware/IPInsight Not desinfected C:\Documents and Settings\Tjan.AKIKO\Local Settings\Temp\alchem.ini
    Spyware:Spyware/Altnet Not desinfected C:\Documents and Settings\Tjan.AKIKO\Local Settings\Temp\asmfiles.cab[asm.exe]
    Adware:Adware/Lop Not desinfected C:\Documents and Settings\Tjan.AKIKO\Local Settings\Temp\Inv99F.exe
    Adware:Adware/Lop Not desinfected C:\Documents and Settings\Tjan.AKIKO\Local Settings\Temp\pch262.exe

    HijackThis:
    Logfile of HijackThis v1.99.1
    Scan saved at 4:09:04, on 14-12-2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Winamp3\winampa.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\FreeMem Standard\freemem.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Sonique\sqstart.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\mIRC\mirc.exe
    C:\Program Files\Sonique\Sonique.exe
    C:\Program Files\BitTornado\btdownloadgui.exe
    C:\Program Files\BitTornado\btdownloadgui.exe
    C:\hjt\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [dircp] C:\WINDOWS\dircp.exe
    O4 - HKLM\..\Run: [\\TATS\EPSON Stylus C46 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P30 "\\TATS\EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"
    O4 - HKLM\..\Run: [Automatisch EPSON Stylus C46 Series op TATS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P43 "Automatisch EPSON Stylus C46 Series op TATS" /O15 "\\TATS\EPSONSty" /M "Stylus C46"
    O4 - HKLM\..\Run: [\\BECCIE\EPSON Stylus C46 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P32 "\\BECCIE\EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"
    O4 - HKLM\..\Run: [Automatisch EPSON Stylus C46 Series op BECCIE] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P45 "Automatisch EPSON Stylus C46 Series op BECCIE" /O17 "\\BECCIE\EPSONSty" /M "Stylus C46"
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [FreeMem Pro] "C:\Program Files\FreeMem Standard\freemem.exe" Startup
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Program Files\Sonique\sqstart.exe -nostick
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1126641881848
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O23 - Service: distributed.net client (dnetc) - Unknown owner - C:\Program Files\Ircow\dnetc.exe (file missing)
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
    O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
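
    A small triage script for the two HijackThis logs posted in this thread, added here as an example (it is not part of the thread and not HijackThis' own tooling): it diffs the running-process list and the R/F/N/O entries of a before and after log, and flags the O4 autostart and O23 service entries a helper would check first. The log excerpts are constructed from the thread's logs and shortened; the "unusual folder" heuristic is an assumption of this example, not a HijackThis rule.

```python
import re

# Constructed excerpts modelled on the two HijackThis v1.99.1 logs in this
# thread (not the complete logs); only the lines that matter here are kept.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 3:12:17, on 13-12-2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\mIRC\mirc.exe
C:\sysreset\mirc.exe
C:\hjt\hijackthis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [dircp] C:\WINDOWS\dircp.exe
O4 - Startup: PowerReg Scheduler V3.exe
O23 - Service: distributed.net client (dnetc) - Unknown owner - C:\Program Files\Ircow\dnetc.exe (file missing)
"""
# Second log (constructed): the mirc.exe copy under C:\sysreset is gone, a BitTornado client is running.
LOG_AFTER = LOG_BEFORE.replace("C:\\sysreset\\mirc.exe\n", "").replace(
    "C:\\hjt\\hijackthis.exe",
    "C:\\Program Files\\BitTornado\\btdownloadgui.exe\nC:\\hjt\\hijackthis.exe")

ENTRY_RE = re.compile(r"^[RFNO]\d+ - ")  # R0/F1/N1/O4... item lines
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx)', re.IGNORECASE)  # first drive path to a binary

def parse_hjt(text):
    """Split a HijackThis log into its running-process list and its R/F/N/O entries."""
    procs, entries, in_procs = set(), set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # a blank line ends the process list
            in_procs = False
        elif line == "Running processes:":
            in_procs = True
        elif in_procs:
            procs.add(line)
        elif ENTRY_RE.match(line):
            entries.add(line)
    return {"processes": procs, "entries": entries}

def diff_hjt(before, after):
    """What appeared and what disappeared between two logs of the same machine."""
    b, a = parse_hjt(before), parse_hjt(after)
    return {
        "added_processes": a["processes"] - b["processes"],
        "removed_processes": b["processes"] - a["processes"],
        "added_entries": a["entries"] - b["entries"],
        "removed_entries": b["entries"] - a["entries"],
    }

def review_entries(entries):
    """Heuristic triage of O4 (autostart) and O23 (service) lines. A hit means
    'check this file first' (known? expected? signed?), not 'this is malware'."""
    findings = []
    for e in sorted(entries):
        if e.startswith("O23") and e.endswith("(file missing)"):
            findings.append(("service points at a binary that no longer exists", e))
        elif e.startswith("O4"):
            m = PATH_RE.search(e)
            if not m:
                findings.append(("no full path to the file being started", e))
                continue
            folder = m.group(0).lower().rsplit("\\", 1)[0] + "\\"
            # Assumption: installed software lives under Program Files or System32; a
            # loose .exe in the Windows root, drive root, Temp or Application Data is odd.
            if folder in ("c:\\", "c:\\windows\\") or "\\temp\\" in folder \
                    or "\\application data\\" in folder:
                findings.append(("started from an unusual folder", e))
    return findings

if __name__ == "__main__":
    for key, lines in diff_hjt(LOG_BEFORE, LOG_AFTER).items():
        for line in sorted(lines):
            print(f"{key}: {line}")
    for reason, entry in review_entries(parse_hjt(LOG_AFTER)["entries"]):
        print(f"CHECK ({reason}): {entry}")
```

    On the thread's real logs the same diff shows the C:\sysreset\mirc.exe process gone and BitTornado plus the Panda ActiveScan O16 entry added between the two scans.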

  5. #5
    VopThis (Senior Member, Canada)
    (I will, incidentally, root out the spyware mentioned in Panda, but that isn't my main problem here.)
    Please do so and post a revised Panda log.

    Thereafter, try the following additional scan:

    Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        - Extended (if available otherwise Standard)
      • Scan Options:
        - Scan Archives
        - Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • This program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.
    • Copy and paste that information in your next post.
